management
4595 Topics

Struggling with web GUI usability with links in new tabs
Hi, there's this thing with the web GUI for a BIG-IP that slows me down terribly. If I want, let's say, to open multiple tabs of different virtual servers, I have to do it slooooooowly. I can't open 10 tabs in like 2 seconds because the web GUI somehow needs to load everything before accepting a new link. If I open virtual server A in a new tab, I have to wait for it to fully load before opening vs B, because if I don't, it'll load vs B in both tabs. Is there any way to prevent this from happening? It's pretty infuriating. Also, is there a way to make the web GUI not work as an SPA? I know there's the "link to this page" thing in the gear icon for each page, but I just want to have my tabs with the absolute URL, not hxxps://host/xui. Thanks.
77 Views, 0 likes, 1 Comment

RDP persistence with SNAT
Hi, rather than using an RDS broker service, is there a simpler way to persist and equally load balance traffic to an RDP vip which is a resource on APM? Our setup is: client connects to APM. On APM there is a webtop using native RDP which points at the IP address of an LTM VIP on the same F5. LTM vip sees the F5 SNAT IP. I cannot pass any cookie, header, or even custom rdp parameter from APM to the LTM vip, so there is no way to persist on anything unique. LTM cannot see the username. Apparently if even a blank apm profile is bound to the LTM vip I can see things like sso username; however, if I enabled apm then the vip makes ssl profile mandatory, which then breaks rdp. Any other ways to do this or is it impossible?
28 Views, 0 likes, 0 Comments

F5 i-series Guests to r-series tenants migration
Hi All, I have two i-series 11900 with 4 guests on each as: 1 LTM, 1 GTM, 1 WAF, and 1 APM. There is HA between the guests. I am working on a migration plan to r-series 10900 and have two options:

Option 1: HA method: Here, I will replace the i-series device that has the standby guests with the r-series device. Then I will establish the HA between the active i-series and the r-series and sync the configuration. Then I will make the r-series active. Then I will replace the newly becoming standby i-series device with the second r-series and establish the HA with the first r-series. This is a lengthy way but has a positive side of fast rollback in case I face any issue, and there will be no changes on the management IPs.

Option 2: UCS method: In this method I will create a replica of the existing guests on the r-series tenants using the UCS files from the i-series guests. This setup will be isolated from the production network. During the maintenance window, I will disconnect the cables from the i-series and connect them to the r-series boxes. This way I need to use different management IPs while building the replica setup, and during the migration I will change the management IPs and use the ones that were on the i-series.

Note that existing devices are connected to Cisco ACI. Let me hear your thoughts and suggestions.
301 Views, 0 likes, 7 Comments

Impact of client.crt and server.crt expiration
My device is currently running on L4 A-S. The client.crt and server.crt expire in 2027.05. DTDI and DTCA expire in 2035.
1. If client.crt and server.crt expire, will it affect HA or config sync?
2. If I need to update, I'll do it via CLI. Will it affect HA and config sync?
I'm wondering if I need to set up new redundancy or reboot, or anything like that. This is a very sensitive service, so there may not be a maintenance window, so I wanted to notify you in advance.
87 Views, 0 likes, 2 Comments

BigIP/IQ Security Compliance Scanner
Hello All, I would like to initiate a discussion about a personal project I am developing. The following description of the project's goal will be an overview rather than a low-level description of how it will function.

The project centers on a tool (desktop application/web app) that will allow F5 BigIP/IQ administrators/engineers to upload XML/JSON documents. The XML/JSON will contain a specific schema for security settings that the application parses and translates into iControl REST API calls or TMSH commands via SSH to verify if the BigIP/IQ server is configured with a particular setting. Below are some examples to help demonstrate the overall concept.

Example: User uploads XML document that contains the following security settings

    <?xml version="1.0" encoding="UTF-8"?>
    <Settings>
      <OnDemandCertAuth>
        <VerifyText>Run the below command in TMSH</VerifyText>
        <Action>tmsh modify sys httpd auth-pam-validate-ip on</Action>
        <Action>tmsh save sys config</Action>
      </OnDemandCertAuth>
    </Settings>

Now that the doc is uploaded, the app parses the XML for the "<Action>" element, then creates the related tmsh show command or potential iControl REST API call to verify if httpd is validating IPs on standard auth to the GUI, in this example. Depending on the data returned from TMSH or the API, the application would then present the user with a table in the GUI that shows the checks that passed and failed. Then they could remediate the system to have the correct security setting for compliance.

Lastly, I'd like to provide a bit more background on the inspiration for this tool. I work a lot in the federal space, where we have to make sure our F5 products meet a baseline security standard. Currently, there are no tools that automate this like there are for Windows products, etc. If you have ever used the SCAP tool for DISA STIGs, then you'll understand the overall goal of this project.

Thank you for taking the time to review my post to the community.
I'd love to hear your feedback!
48 Views, 0 likes, 0 Comments

RDP Webtop deployment
Hello, I am trying to deploy a webtop with an RDP resource assigned and I have two questions:
- For the RDP resource destination, is it advisable to use as destination a virtual server (RDP 3389) with a pool of multiple rdp session hosts - hosted on the same f5?
- Following the guide (Configuring Remote Desktop Access), I see that an RDG policy assignment is used. Is this really necessary? I have deployed without it and it works without an issue. What are the advantages? Because in my experience the Client Type is never Microsoft RDP Client (I tested and it always matches the fallback).
Thanks,
71 Views, 0 likes, 2 Comments